Secure communications
In a production environment, we strongly suggest setting up secure (TLS) communications between the manager and repository applications. This is done by issuing a server certificate for the repository application and configuring the manager application to trust the certificate authority (CA) that signed it.
In this guide, we will:
- create a custom certificate authority (CA)
- create a certificate signing request (CSR)
- create a signed certificate from the CSR using our custom CA from step 1
- configure the RDepot repository application to use the certificate and private key
- configure the RDepot manager application to use the CA certificate
- create a new repository and test the connection between manager and repository
Creating a custom certificate authority
We can be our own certificate authority (CA) by creating a self-signed root CA certificate:
# generate a self-signed root CA certificate:
# -x509: output a (self-signed) certificate instead of a CSR
# -sha256: sign with the SHA-256 digest
# -days 3650: valid for 10 years
# -newkey rsa:2048: generate a fresh 2048-bit RSA key at the same time
# -keyout: save the private key to file ca.key
# -out: save the root CA certificate to file ca.crt
openssl req -x509 -sha256 -days 3650 -newkey rsa:2048 -keyout ca.key -out ca.crt
OpenSSL will prompt for a pass phrase to protect the CA private key (you will need it again when signing the server certificate) and will request some additional (mostly optional) distinguished-name information; a descriptive Common Name for the CA is enough.
Two files should have been created: ca.key and ca.crt.
Creating a certificate signing request
Before generating a certificate signing request (CSR), we will need to generate a private key:
openssl genrsa -out repo.key 2048
The above command generates a new private key using the RSA algorithm with 2048 bits and stores it in the file repo.key.
In order to sign the server certificate using the CA, we need a CSR.
The CSR includes the public key and some additional (mostly optional) information.
Generating the CSR uses the newly generated private key (repo.key) and can be done using the following command:
openssl req -key repo.key -new -out repo.csr
OpenSSL will prompt for some additional (mostly optional) information.
It is important however to specify the Common Name (e.g. server FQDN or YOUR name) and make sure it matches the hostname the manager application will use to reach the repository API server.
Note that modern TLS clients (Java's included) verify the hostname against the Subject Alternative Name (SAN) extension, which we add in the next step; the Common Name is at best a fallback, so the same hostname must appear in the SAN as well.
When using our Docker Compose deployment, the hostname of the repository server within the Docker RDepot network will be oa-rdepot-repo.
In this case, a value of oa-rdepot-repo should be used as the Common Name, since this is what the RDepot manager application will use as the hostname when connecting to the repository API.
Finally, the private key must be readable by the repository application process, and by nobody else.
Executing chown 2000:2000 repo.key changes ownership of the private key file to the user and group that run the repository application process; the file mode should then grant read access to that owner only, never to other users.
You might need additional rights to change the ownership (using sudo or something similar).
The user and group IDs (2000) are the ones defined for the repository container.
Two files should have been created: repo.key and repo.csr.
Creating a signed certificate
Now that we have a CSR, we can sign it with our CA and produce the server certificate. Before doing so, create an additional configuration file with the extension properties, in particular the Subject Alternative Name (SAN). Clients match the hostname they connect to against the SAN, and it also lets one certificate cover several hostnames or IP addresses.
Create a file called san.ext with the following contents:
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:FALSE
subjectAltName = @alt_names
[alt_names]
DNS.1 = oa-rdepot-repo
Feel free to include additional domain names or IP addresses by appending entries to the bottom of the above file (e.g. DNS.2 = my-repo.com for a hostname, or IP.1 = 10.0.0.5 for an IP address).
Then, sign the CSR with the CA key to generate our repository server certificate (OpenSSL will prompt for the CA key's pass phrase):
openssl x509 -req -CA ca.crt -CAkey ca.key -in repo.csr -out repo.crt -days 365 -CAcreateserial -extfile san.ext
Two files should have been created: repo.crt (the server certificate) and ca.srl, the serial-number file that -CAcreateserial writes alongside ca.crt. Keep ca.srl together with ca.key so that later certificates issued by this CA get unique serial numbers.
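The CA, CSR and signing steps above, run unattended and followed by the checks worth making before the files are mounted into the containers. This is an added example written for this guide, not part of RDepot's own scripts or documentation. It assumes openssl on PATH, writes into a scratch directory, uses -nodes so the CA key is stored unencrypted (acceptable for a throwaway test only; keep the pass phrase for a real CA) and adds extendedKeyUsage = serverAuth on top of the guide's san.ext. The last function, tls_probe, is not executed by the script: it is meant to be run from inside the backend container once the stack is up, as a command-line complement to the UI test at the end of this guide.

```shell
#!/bin/sh
# Added example (not part of RDepot): the CA / CSR / signing steps of this guide,
# run unattended, plus the checks to make before mounting the files.
# Assumptions: openssl on PATH; WORK is a scratch directory; the CA key is
# written unencrypted (-nodes) only so the script needs no pass phrase prompt.
set -eu

WORK="${WORK:-$(mktemp -d)}"
REPO_HOST="oa-rdepot-repo"        # must equal the host the manager connects to

# Step 1: self-signed root CA, 10 years, RSA-2048, SHA-256.
make_ca() {
  openssl req -x509 -sha256 -days 3650 -newkey rsa:2048 -nodes -batch \
    -subj "/CN=RDepot demo CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Steps 2 and 3: server key, CSR with CN=REPO_HOST, SAN file, CA-signed certificate.
make_server_cert() {
  openssl genrsa -out "$WORK/repo.key" 2048 2>/dev/null
  openssl req -new -batch -key "$WORK/repo.key" -subj "/CN=$REPO_HOST" \
    -out "$WORK/repo.csr" 2>/dev/null
  # extendedKeyUsage is added here on top of the guide's san.ext: harmless, and
  # what TLS clients expect to see on a server certificate.
  cat > "$WORK/san.ext" <<EOF
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $REPO_HOST
EOF
  openssl x509 -req -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -in "$WORK/repo.csr" -out "$WORK/repo.crt" -days 365 -extfile "$WORK/san.ext" 2>/dev/null
  chmod 600 "$WORK/repo.key"      # private key: owner-readable only
}

# Check 1: repo.crt chains to ca.crt (exit status 0 on success).
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/repo.crt" >/dev/null 2>&1
}

# Check 2: hostname verification the way a TLS client does it, against the SAN.
# Succeeds for REPO_HOST and fails for any other name.
verify_host() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/repo.crt" >/dev/null 2>&1
}

# Check 3: the private key really belongs to the certificate mounted next to it.
key_matches_cert() {
  [ "$(openssl x509 -in "$WORK/repo.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/repo.key" -pubout 2>/dev/null)" ]
}

# Lists the SAN entries of repo.crt, e.g. "DNS:oa-rdepot-repo".
san_list() {
  openssl x509 -in "$WORK/repo.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# End-to-end probe for the Testing section: run inside the backend container
# (docker compose exec backend sh) after the stack is up. Exits non-zero if the
# repository's certificate does not chain to ca.crt or does not match the host.
tls_probe() {
  host="${1:-$REPO_HOST}"
  openssl s_client -connect "$host:${2:-8443}" -servername "$host" \
    -CAfile "${3:-/opt/rdepot/ca.crt}" -verify_hostname "$host" \
    -verify_return_error </dev/null >/dev/null 2>&1
}

make_ca
make_server_cert
verify_chain && echo "chain OK"
verify_host "$REPO_HOST" && echo "hostname OK"
verify_host "some-other-host" || echo "wrong hostname rejected, as it should be"
key_matches_cert && echo "key matches certificate"
echo "SAN: $(san_list)"
echo "files written to $WORK"
```

The negative hostname check is the one people skip: a certificate that verifies but carries the wrong name fails in exactly the same way as a missing CA in the manager's trust store, so running verify_host with the name from the Server address field tells you in advance which of the two you are looking at.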
Configuring the RDepot repository application
This guide assumes you are using our Docker Compose demo deployment.
Map the previously generated server certificate and private key as read-only volumes in the docker-compose.yaml file:
services:
  repo:
    volumes:
      - repository:/opt/rdepot/
      - ./docker/compose/repo/application.yaml:/opt/repo/application.yml:ro
      - ./repo.crt:/opt/repo/server.crt:ro
      - ./repo.key:/opt/repo/server.key:ro
Then, edit the repository application configuration file so that it serves HTTPS on port 8443 with the mounted certificate and key, restricted to TLS 1.3 (protocol is a property of the bundle itself; the options block carries the enabled protocol versions):
server:
  port: 8443
  ssl:
    enabled: true
    bundle: repo-api
spring:
  ssl:
    bundle:
      pem:
        repo-api:
          protocol: TLS
          options:
            enabled-protocols: TLSv1.3
          keystore:
            certificate: /opt/repo/server.crt
            private-key: /opt/repo/server.key
Configuring the RDepot manager application
Map the previously generated root CA certificate as a read-only volume in the docker-compose.yaml file. Only ca.crt is needed here; ca.key must never be mounted into any container:
services:
  backend:
    volumes:
      - repositories:/opt/rdepot/repositories/
      - snapshots:/opt/rdepot/generated/
      - queue:/opt/rdepot/new/
      - ./docker/compose/backend/application.yaml:/opt/rdepot/application.yml
      - ./ca.crt:/opt/rdepot/ca.crt:ro
Then, edit the manager application configuration file so that the repository API client trusts our CA certificate and uses TLS when talking to the repository API:
spring:
  ssl:
    bundle:
      pem:
        repo-api-client:
          truststore:
            certificate: "/opt/rdepot/ca.crt"
repository:
  api:
    ssl:
      enabled: true
Testing the new setup
After following all of the above, the deployment can finally be started by executing docker-compose up.
In your browser, go to http://localhost and log in using the following credentials:
- username: einstein
- password: testpassword
Go to the repositories page at http://localhost/repositories and click on the blue + icon (top right) to create a new repository.

In the Server address field, enter https://oa-rdepot-repo:8443/r/r-public and click on the test button to the left of the input field.
It should report that the server address is correct. If the test fails instead, the usual causes are a hostname in the URL that does not match the certificate's SAN, a certificate that was not signed by the CA mounted into the backend container, or a key file the repository process cannot read.

Conclusion
To conclude, in this guide we have set up secure communications between the RDepot manager application and an RDepot repository application.
This was done using openssl (for generating the necessary keys and certificates) and the provided Docker Compose demo deployment of RDepot.
Additionally, RDepot can be configured using only a couple of properties, both in the RDepot manager application properties and in the RDepot repository application properties.
A server key and certificate were installed and configured on the repository server side, and a CA certificate was installed and configured as trusted on the manager client side.
Repository server addresses should now use https instead of http and port 8443 instead of the default port 8080.